DevOps Blog - Nicolas Paris

Docker Best Practice latest tag


This is part of Docker best practice. It is well-known advice, but you can still see latest tags in production.

There are two parts to this advice: one for the containers you run in production, and the other for your Dockerfile.

This is a three-part series about Docker best practice.

Dockerfile

Every Dockerfile starts with a base image, pulled in by the FROM instruction. It's tempting to start with FROM npm:latest, for example, especially when you are starting out with Docker and testing some solution. The latest image might work for you now but...

Break the immutable image rule

This is the main idea of Docker: a build should always give you the same image. With latest, you can get slightly different behavior between images. If you run an image based on php:latest, your PHP version will change as releases come out.

Do it now or you will do it 2 years later anyway

Builds will break sooner or later if you use a composer or npm image to build assets. I guarantee you that if you use npm:latest, your build will break someday. You will then need to fix it or find the tag you used at release time. When you use multi-stage builds, another best practice, you even increase the chances of breaking one of your builds.

Easier to follow version in production

Let's say you have multiple PHP applications in production. Once the version is specified, you can quickly check which builds need updates. Scanners exist to automate this, but it's an easier way to get the result.
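A check for the Dockerfile side of this advice, as an added example (not code from the original post): it lists every FROM line whose base image floats on latest, either explicitly or because no tag is given, across all stages of a multi-stage build. The function names, the registry host and the sample Dockerfile are constructed for illustration.

```python
import re

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)

def tag_of(image):
    """Return the tag of an image reference, or None when no tag is given."""
    last = image.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    return last.split(":", 1)[1] if ":" in last else None

def unpinned_bases(dockerfile_text):
    """Return (line_no, image, reason) for each FROM that floats on latest."""
    findings, stages = [], set()
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        # Not a floating tag: the empty base, an earlier build stage, a digest pin.
        # References built from ARG variables are not resolved by this check.
        skip = (image.lower() in stages or image.lower() == "scratch"
                or "@" in image or "$" in image)
        if not skip:
            tag = tag_of(image)
            if tag is None:
                findings.append((no, image, "no tag, resolves to latest"))
            elif tag == "latest":
                findings.append((no, image, "explicit latest tag"))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings

# Constructed sample: a multi-stage build mixing pinned and floating bases.
SAMPLE = """\
FROM composer:latest AS vendor
FROM npm AS assets
FROM registry.example.test:5000/php:8.2-fpm AS runtime
FROM runtime AS final
FROM registry.example.test:5000/php
FROM php:latest@sha256:PLACEHOLDER_DIGEST
"""

if __name__ == "__main__":
    for no, image, reason in unpinned_bases(SAMPLE):
        print(f"line {no}: {image}: {reason}")
```
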

Docker container

It doesn't matter which orchestrator you choose, such as Kubernetes or Docker Swarm, or even docker-compose: you should never use latest to run a container. It makes it very difficult to know which version you are running, and your rollback strategy will be more difficult. What I do in my CI/CD pipeline, with GitLab, is add the SHA1 of the commit as a tag. It's one solution, others exist, choose yours, but don't choose the default latest.

Conclusion

Hope you understand now that latest is evil. I am guilty too, I've done this, but not anymore, never.